Session Tracker Feature
Resolution
PAN-OS 6.0, 6.1
Details
PAN-OS 6.0 introduced a session tracker feature in the CLI. The tracker state is displayed on the last line of the output of show session id <id #>, labeled tracker stage firewall.
A session may close at various stages of packet processing, for reasons such as:
- Session denied or timed out
- Packets dropped due to various threat conditions
- Reset by either end host
The purpose of the session tracker is to record the precise reason for the mitigation action taken on a particular session. This information is useful for retroactive analysis and in most cases removes the need to reproduce the issue, which is often unsuccessful.
The tracker stage can report a number of statuses, including:
- Aged out - Occurs when a session closes due to aging out
- TCP FIN - Occurs when a TCP FIN is used to close half or both sides of a connection
- TCP RST - client - Occurs when the client sends a TCP reset to the server
- TCP RST - server - Occurs when the server sends a TCP reset to the client
- appid policy lookup deny - Occurs when a session matches a security policy with a deny or drop action
- mitigation tdb - Occurs when a session ends due to a threat detection
- resource limit - Occurs when a session is set to drop due to a system resource limitation such as exceeding the number of out of order packets allowed per flow or the global out of order packet queue. Many other reasons will roll up to this reason.
- host service - Occurs when traffic is destined for the firewall itself but the requested service is not allowed or not enabled
An example of the show session id output, including the tracker stage line, is shown below:
> show session id 4632
Session 4632
c2s flow:
source: 192.168.210.103 [trust]
dst: 198.172.88.58
proto: 6
sport: 4475 dport: 80
state: INIT type: FLOW
src user: unknown
dst user: unknown
pbf rule: wt-VPNTest 1
s2c flow:
source: 198.172.88.58 [VPN]
dst: 192.168.210.103
proto: 6
sport: 80 dport: 4475
state: INIT type: FLOW
src user: unknown
dst user: unknown
start time : Mon Sep 9 16:39:06 2013
timeout : 30 sec
total byte count(c2s) : 1063
total byte count(s2c) : 1461
layer7 packet count(c2s) : 12
layer7 packet count(s2c) : 10
[…..]
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : True
captive portal session : False
ingress interface : ethernet1/6
egress interface : tunnel.179
session QoS rule : N/A (class 4)
tracker stage firewall : TCP FIN
The following command lists all the sessions that have the "tracker stage" flag enabled:
> show log traffic direction equal backward show-tracker equal yes
Time App From Src Port Source
Rule Action To Dst Port Destination
Src User Dst User Session Info
===============================================================================
2013/09/09 16:44:01 flash trust 4433 192.168.210.103
TCP-logging allow VPN 80 74.125.239.124
TCP FIN
2013/09/09 16:44:00 incomplete untrust 52405 10.30.6.210
allow-any allow untrust 135 10.30.14.212
Aged out
2013/09/09 16:40:25 ms-update trust 4402 192.168.210.103
TCP-logging allow VPN 80 96.17.148.40
TCP RST – client
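The listing above is three lines per session, with the tracker stage on the third line. The following parser, written for this article and not part of PAN-OS or any Palo Alto Networks tool, turns that layout into records, tallies the end reasons, and separates firewall-initiated session ends (policy deny, threat mitigation, resource limit, host service) from ordinary host-side closes. The sample text is constructed: two records are copied from the article and two (the deny and mitigation tdb lines, with 203.0.113.x addresses and the rule name block-risky) are made up.

```python
from collections import Counter

# Constructed sample in the three-lines-per-session layout of "show log traffic
# direction equal backward show-tracker equal yes" (column header omitted).
SAMPLE_LOG = """\
===============================================================================
2013/09/09 16:44:01 flash trust 4433 192.168.210.103
TCP-logging allow VPN 80 74.125.239.124
TCP FIN
2013/09/09 16:40:25 ms-update trust 4402 192.168.210.103
TCP-logging allow VPN 80 96.17.148.40
TCP RST \u2013 client
2013/09/09 16:38:12 web-browsing trust 4390 192.168.210.103
block-risky deny untrust 80 203.0.113.9
appid policy lookup deny
2013/09/09 16:37:40 ssl trust 4381 192.168.210.103
TCP-logging allow VPN 443 203.0.113.25
mitigation tdb
"""
# Stages from the article meaning the firewall itself ended the session,
# as opposed to an end host closing it or the session aging out.
FIREWALL_ACTION_STAGES = {"appid policy lookup deny", "mitigation tdb",
                          "resource limit", "host service"}

def parse_tracker_log(text):
    """One dict per session: time, app, rule/action, zones, endpoints, stage."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Records begin after the '=====' line that closes the column header.
    start = next((i + 1 for i, ln in enumerate(lines) if ln.startswith("===")), 0)
    records = []
    for i in range(start, len(lines) - 2, 3):
        first, second, stage = lines[i], lines[i + 1], lines[i + 2]
        # Tuple unpacking raises ValueError on a line with the wrong field count.
        date, clock, app, zone_from, sport, src = first.split()
        rule, action, zone_to, dport, dst = second.split()
        records.append({
            "time": f"{date} {clock}", "app": app, "rule": rule, "action": action,
            "zones": f"{zone_from}->{zone_to}", "src": f"{src}:{sport}", "dst": f"{dst}:{dport}",
            # The CLI prints an en dash in "TCP RST – client"; normalise it to '-'.
            "stage": stage.replace("\u2013", "-").replace("\u2014", "-"),
        })
    return records

def stage_counts(records):  # sessions ended per tracker-stage reason
    return Counter(r["stage"] for r in records)

def firewall_terminated(records):  # ended by the firewall, not an end host
    return [r for r in records if r["stage"] in FIREWALL_ACTION_STAGES]
```

Running parse_tracker_log on output pasted from the CLI and reviewing firewall_terminated gives a quick view of which sessions the firewall itself cut short and under which rule.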
owner: djoksimovic